aws-samples / lambda-refarch-mobilebackend

Serverless Reference Architecture for creating a Mobile Backend
Apache License 2.0

Policy Document #8

Closed allenchic closed 8 years ago

allenchic commented 8 years ago

Can you provide example of what policy document should look like?

Step 1 - Create a new Amazon Cognito identity pool through the Amazon Cognito dashboard for unauthenticated users. Modify the policy document to allow unauthenticated users to "execute-api:*" for API Gateway. Modify the policy document to allow users to upload to the S3 bucket created in Template One.

waleoladehin commented 8 years ago

Hi samhotnumb,

For the Cognito roles, take a look at these two policy examples: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-policies-s3.html#iam-policy-ex0 http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html

For your Cognito roles you'll have a policy that combines both of the examples above into one policy role. The first statement will allow your unauthenticated Cognito user to upload into your S3 bucket; the second statement will allow the unauthenticated user to make an API call to API Gateway.

If you later on want to get more fine grained access for users, you can add fine grained access control policies where each Cognito User would only have access to their folder inside of an S3 bucket. A good example of a policy like that can be found here: https://docs.aws.amazon.com/cognito/devguide/identity/concepts/iam-roles/ under the S3 Prefix section.

Thanks, Wale

allenchic commented 8 years ago

Thanks. To be clear... it should be:

uploadimagebucket = the bucket I created for images
apigateway = ???, is this a generic term or should I replace it with a specific value here?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::uploadimagebucket"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::uploadimagebucket/*"
    },
    {
      "Effect": "Allow",
      "Action": ["apigateway:*"],
      "Resource": ["*"]
    }
  ]
}

waleoladehin commented 8 years ago

Hi samhotnumb,

For the API Gateway part you'll want an execute-api policy, so it will look like the below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["execute-api:Invoke"],
      "Resource": "arn:aws:execute-api:*:*:*"
    }
  ]
}

Also for your policy above, I think you are missing a "*" after your ListAllMyBuckets policy: "Resource":"arn:aws:s3:::*"

Thanks and let me know if that helps.

allenchic commented 8 years ago

Thanks, I will check.

To be clear, replace:

{
  "Effect": "Allow",
  "Action": ["apigateway:*"],
  "Resource": ["*"]
}

with

{
  "Effect": "Allow",
  "Action": ["execute-api:Invoke"],
  "Resource": "arn:aws:execute-api:*:*:*"
}

waleoladehin commented 8 years ago

That's correct. You'll replace the action you created with the one below it. The "execute-api" action is used for defining permissions for REST API calls to API Gateway. If you want to further restrict access for API calls, you can specify additional resources and actions that correlate to a specific endpoint and method (GET, POST, PUT, etc.).

If you'd like to see the additional actions available for API Gateway, you can find them here: http://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html
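A combined least-privilege version of the unauthenticated role policy discussed in this thread, using the per-identity S3 prefix pattern from Wale's earlier comment and narrowing execute-api:Invoke to one method on one stage as suggested above, plus a small pre-deploy check that flags the wildcard grants from the first draft. This is an added example, not code from the thread or from the aws-samples project; the bucket, region, account id, API id, stage and the POST /upload path are constructed placeholders.

```python
# Constructed placeholder values: substitute your own bucket, account, API id and stage.
BUCKET = "uploadimagebucket"
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
API_ID = "abcdef1234"
STAGE = "prod"

# IAM policy variable that resolves to the calling Cognito identity's id at evaluation time.
IDENTITY = "${cognito-identity.amazonaws.com:sub}"


def build_unauth_policy(bucket, region, account_id, api_id, stage):
    """Least-privilege policy for the Cognito unauthenticated role: each identity
    may only list/read/write objects under its own prefix in the bucket, and may
    only invoke one method (POST /upload, a placeholder) on one stage of one API."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{IDENTITY}/*"]}},
            },
            {
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{IDENTITY}/*"],
            },
            {
                "Effect": "Allow",
                "Action": ["execute-api:Invoke"],
                "Resource": [f"arn:aws:execute-api:{region}:{account_id}:{api_id}/{stage}/POST/upload"],
            },
        ],
    }


def overbroad_statements(policy):
    """Pre-deploy check: return statements whose Action is a wildcard ("*" or
    "service:*") or whose Resource is "*". The thread's first draft
    ("apigateway:*" on "*") is flagged; the policy built above is clean."""
    flagged = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(stmt)
    return flagged
```

Attach the returned document to the unauthenticated role of the identity pool; the check runs locally and needs no AWS credentials.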

allenchic commented 8 years ago

good stuff. thanks